#32718: [3.2.1] Issue with assigning file to FileField -------------------------------------+------------------------------------- Reporter: Jakub Kleň | Owner: nobody Type: Bug | Status: new Component: Database layer | Version: 2.2 (models, ORM) | Severity: Release blocker | Resolution: Keywords: 3.2.1 file model | Triage Stage: Accepted filefield fieldfile | Has patch: 1 | Needs documentation: 1 Needs tests: 1 | Patch needs improvement: 1 Easy pickings: 0 | UI/UX: 0 -------------------------------------+-------------------------------------
Comment (by carderm): Replying to [comment:14 Florian Apolloner]: > Replying to [ticket:32718 Jakub Kleň]: > > Correct me if I'm wrong, but file-like objects always contain the full path to the file in the `name` attribute (the built-in Django `File` class even uses it to reopen the file if it was closed), and so it seems to be a bug in Django itself. > > This is true, but according to my tests on earlier versions a full (absolute) path did fail already because it would usually be outside the MEDIA_ROOT. Can you provide some more details? I believe an absolute path outside of Media Root should fail, that is correct (in my opinion) - as an **absolute** path might be able to write shell scripts around the file system... It should however, work for a **relative** file path. **Hack example here** {{{ # Some model class FileModel(models.Model): file_field = models.FileField(_('UsersFile'), storage='users', max_length=1000) model_inst = FileModel() # Add some file new_file = ContentFile(some_file.read()) new_file.name = f"{user.name}/file.txt" # E.g. "steve/file.txt" <<< This file should only be for 'steve' model_inst.file = new_file # Save the Model model_inst.save() #<<< in Django 3.2.0 this creates file "MEDIA_ROOT/users/steve/file.txt ! which is correct model_inst.save() #<<< in Django 3.2.1 this FAILS with Path issue ! Incorrect model_inst.save() #<<< in Django Latest Git commit will create "MDEIA_ROOT/users/file.txt ! which is incorrect - missing path! # What we need to stop: bad_file = ContentFile(malicious_script.read()) bad_file.name = "/etc/init.d/nameofscript.sh" # or bad_file.name = "../../../../../usr/local/lib/bad.file" model_inst.file = bad_file # On Save we need to protect here - imho model_inst.save() # <<< This *should Fail* with Security Error }}} -- Ticket URL: <https://code.djangoproject.com/ticket/32718#comment:22> Django <https://code.djangoproject.com/> The Web framework for perfectionists with deadlines. -- You received this message because you are subscribed to the Google Groups "Django updates" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-updates+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/064.3394b579097b7843dae73adfa6c38c93%40djangoproject.com.